
VectorKernel – PoCs For Kernelmode Rootkit Techniques Research

PoCs for kernel-mode rootkit techniques, intended for research or education. The project currently focuses on Windows. All modules support 64-bit OSes only.


Some modules use the ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 is not supported on OSes older than Windows 10 Version 2004. To test the modules on older OSes, replace ExAllocatePool2 with ExAllocatePoolWithTag.



All modules are tested on Windows 11 x64. To test the drivers, the following options can be used on the test machine:

  1. Enable Loading of Test Signed Drivers

  2. Setting Up Kernel-Mode Debugging

Each option requires disabling Secure Boot.


Detailed information is given in each project’s directory. All modules are tested on Windows 11.

| Module Name | Description |
| --- | --- |
| BlockImageLoad | PoCs to block driver loading with the Load Image Notify Callback method. |
| BlockNewProc | PoCs to block new processes with the Process Notify Callback method. |
| CreateToken | PoCs to get a fully privileged SYSTEM token with the ZwCreateToken() API. |
| DropProcAccess | PoCs to drop process handle access with Object Notify Callback. |
| GetFullPrivs | PoCs to get full privileges with the DKOM method. |
| GetProcHandle | PoCs to get a full-access process handle from kernel mode. |
| InjectLibrary | PoCs to perform DLL injection with the Kernel APC Injection method. |
| ModHide | PoCs to hide loaded kernel drivers with the DKOM method. |
| ProcHide | PoCs to hide a process with the DKOM method. |
| ProcProtect | PoCs to manipulate Protected Process. |
| QueryModule | PoCs to retrieve kernel driver load address information. |
| StealToken | PoCs to perform token stealing from kernel mode. |


More PoCs, especially on the following topics, will be added later:

  • Notify callback
  • Filesystem mini-filter
  • Network mini-filter


Source : KitPloit – PenTest Tools!
